Add support for scanning multiple projects of any supported type
What does this MR do?
Adds support for executing multiple scans in a single run. Scans can be a mix of source projects (Android Studio, Eclipse, XCode) and binaries (.ipa, .apk), in any combination.
The analyser will attempt to walk the repository to collect a list of possible scanning entrypoints. The entrypoint is the containing folder for manifest-based scans, and the binary itself for binary-based scans. Each entrypoint will be uploaded to the MobSF instance running internally in the analyser container to be scanned. The scan results are processed to have the correct file paths, and are then merged into a single gl-sast-report.json. This report provides a comprehensive view of all supported sources and binaries in the repository.
The following types of scans are supported:
- Android Studio projects (via AndroidManifest.xml)
- Eclipse projects (via AndroidManifest.xml)
- Android binaries (via .apk)
The following scans technically work, but we don't parse the results yet:
- iOS binaries (via .ipa)
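Sketch of the entrypoint discovery and path-fixing described above, added here as an illustration and not taken from the analyser's own code. It assumes slash-separated repo-relative paths from a filesystem walk, that an AndroidManifest.xml marks its containing folder as a project entrypoint, and that MobSF reports finding paths relative to the uploaded folder; the Entrypoint type, Classify, CollectEntrypoints and RepoPath are hypothetical names.

```go
package main

import (
	"path"
	"sort"
	"strings"
)

// Entrypoint is one unit of work uploaded to MobSF: the containing folder for
// manifest-based scans, or the binary itself for binary-based scans.
type Entrypoint struct {
	Path string // repo-relative, slash-separated
	Kind string // "android-project", "android-binary" or "ios-binary"
}

// Classify maps one repo-relative file path to an entrypoint, or nil. Assumed
// rule (not copied from the analyser): AndroidManifest.xml marks its folder;
// .apk and .ipa files are entrypoints themselves.
func Classify(rel string) *Entrypoint {
	base := strings.ToLower(path.Base(rel))
	switch {
	case base == "androidmanifest.xml":
		return &Entrypoint{Path: path.Dir(rel), Kind: "android-project"}
	case strings.HasSuffix(base, ".apk"):
		return &Entrypoint{Path: rel, Kind: "android-binary"}
	case strings.HasSuffix(base, ".ipa"):
		return &Entrypoint{Path: rel, Kind: "ios-binary"}
	}
	return nil
}

// CollectEntrypoints turns a file listing (as filepath.WalkDir over the
// checkout would produce) into a sorted list of entrypoints; one manifest per
// folder is assumed, so no deduplication is needed.
func CollectEntrypoints(files []string) []Entrypoint {
	var out []Entrypoint
	for _, f := range files {
		if ep := Classify(f); ep != nil {
			out = append(out, *ep)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

// RepoPath rewrites a path MobSF reports relative to the uploaded folder into
// a repo-relative one, so findings from every scan can share one report.
func RepoPath(ep Entrypoint, reported string) string {
	if ep.Kind != "android-project" {
		return ep.Path // binary findings point at the binary itself
	}
	return path.Join(ep.Path, reported)
}
```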
What are the relevant issue numbers?
- Replaces gitlab-org/gitlab#386549 (closed)
- Eliminates the need for gitlab-org/gitlab#408949 (closed)
- Fixes gitlab-org/gitlab#337217 (closed)
- Fixes gitlab-org/gitlab#337743 (closed)
- Fixes gitlab-org/gitlab#402200 (closed)
- Fixes gitlab-org/gitlab#370562 (closed)
- Fixes gitlab-org/gitlab#263474 (closed)
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer